i think that they're talking about shutting down the source, not the destination. if you deploy it on your own incoming interface, well, gun - foot - bang :-) Jeff Young young@mci.net
From: Regis Donovan <regisdo@microsoft.com> To: "'nanog@merit.edu'" <nanog@merit.edu> Subject: router syn/syn-ack/ack alarming... Date: Tue, 17 Sep 1996 13:23:35 -0700 X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.994.24 Encoding: 13 TEXT Sender: owner-nanog@merit.edu Content-Type: text Content-Length: 522
um... maybe i'm missing the clue here, but if the router vendors add something that shuts down an interface if the SYN/SYN-ACK/ACK ratio becomes too bad make it *easier* for me if i'm doing a denial of service attack on a host?
instead of denying service to a given host, all i have to do is drive the router into alarm mode so it shuts off the interface and then i get to deny service to an entire segment and everything downstream from that segment...
here's to better bang for your cracker-kiddie buck... --regis